Abstract

The information provided by global positioning 
systems is never totally exact, and there are al- 
ways errors when measuring position and veloc- 
ity of moving objects such as aircraft. This pa- 
per studies the effects of these errors in the ac- 
tual separation of aircraft in the context of state- 
based conflict detection and resolution. Assum- 
ing that the state information is uncertain but that 
bounds on the errors are known, this paper pro- 
vides an analytical definition of a safety buffer 
and sufficient conditions under which this buffer 
guarantees that actual conflicts are detected and 
solved. The results are presented as theorems, 
which were formally proven using a mechanical 
theorem prover. 

1 Introduction 

Advances in global positioning systems and communication technology have enabled new air traffic management concepts where the responsibility for separation is air/ground distributed. One such concept is state-based conflict detection and resolution (CD&R), a tactical approach for probing and solving air traffic conflicts that relies only on the state information, i.e., the current position and velocity vectors of the aircraft. Over the last years, several algorithms for state-based CD&R have been proposed [1, 3, 5, 8, 11]. Given the critical role that these systems play in the airspace system, some of these algorithms and concepts [7, 10, 11] have been formally analyzed for safety properties such as independence, i.e., minimum separation is guaranteed when one of the aircraft maneuvers, and implicit coordination, i.e., minimum separation is guaranteed when both aircraft maneuver with no explicit coordination between them [4]. In general, the verification that a given algorithm satisfies these safety properties assumes that the aircraft state information is accurately known.

The position provided by global navigation satellite systems like GPS is accurate up to a few meters (about 10m).¹ Errors in position and velocity data negatively affect the minimum separation guaranteed by CD&R systems. Therefore, when CD&R algorithms are used in practice, a safety buffer is added to the minimum separation to accommodate the imprecision in the state information. The size of the safety buffers is usually determined by experimentation and simulation.

¹ See http://www.kowoma.de/en/gps/

This paper presents a formal analysis of the effects of errors in position and velocity information on pairwise state-based CD&R algorithms. Under the assumption that the bounds of position and velocity errors in the state information of the ownship and traffic aircraft are known, this paper rigorously provides answers to questions such as (a) what is the actual minimum separation detected by a CD&R algorithm that assumes perfect information? and (b) how large does the safety buffer have to be to guarantee a given minimum separation when the conflict is resolved by a CD&R algorithm that assumes perfect information? The mathematical development presented in this paper, including formal proofs of all lemmas and theorems,² has been mechanically checked using the interactive theorem prover PVS (Prototype Verification System) [12], a higher-order logic based theorem prover developed by SRI International.³ For readability, this paper uses standard mathematical notation instead of PVS syntax.

2 Basic Definitions 

As typical of pairwise state-based CD&R ap- 
proaches, a 2-dimensional airspace is considered 
with two distinguished aircraft: the ownship and 
the intruder aircraft, which represents a traffic 
aircraft. Moreover, aircraft dynamics are repre- 
sented by a point moving at constant linear speed 
in a 2-dimensional Euclidean space. 


2.1 Error Bounds

The ownship's and intruder's actual positions are denoted by the vectors $\mathbf{s}_o = (s_{ox}, s_{oy})$ and $\mathbf{s}_i = (s_{ix}, s_{iy})$, respectively. The ownship's and intruder's actual velocity vectors are denoted by $\mathbf{v}_o = (v_{ox}, v_{oy})$ and $\mathbf{v}_i = (v_{ix}, v_{iy})$, respectively. Since the actual vectors are unknown to CD&R algorithms, this paper also considers the measured position and velocity vectors of each aircraft, which are denoted $\mathbf{s}_o^m = (s_{ox}^m, s_{oy}^m)$ and $\mathbf{v}_o^m = (v_{ox}^m, v_{oy}^m)$, respectively, for the ownship; and $\mathbf{s}_i^m = (s_{ix}^m, s_{iy}^m)$ and $\mathbf{v}_i^m = (v_{ix}^m, v_{iy}^m)$, respectively, for the intruder aircraft. Bounds on the position and velocity errors are assumed to be known, i.e.,

$$\|\mathbf{s}_o - \mathbf{s}_o^m\| \le \varepsilon_{so}, \tag{1}$$

$$\|\mathbf{s}_i - \mathbf{s}_i^m\| \le \varepsilon_{si}, \tag{2}$$

$$|\mathit{track}(\mathbf{v}_o) - \mathit{track}(\mathbf{v}_o^m)| \le \varepsilon_{\alpha o}, \tag{3}$$

$$\big|\,\|\mathbf{v}_o\| - \|\mathbf{v}_o^m\|\,\big| \le \varepsilon_{go}, \tag{4}$$

$$|\mathit{track}(\mathbf{v}_i) - \mathit{track}(\mathbf{v}_i^m)| \le \varepsilon_{\alpha i}, \tag{5}$$

$$\big|\,\|\mathbf{v}_i\| - \|\mathbf{v}_i^m\|\,\big| \le \varepsilon_{gi}, \tag{6}$$

where $\varepsilon_{so}$ and $\varepsilon_{si}$ are strictly positive constants that denote the position error bounds for the ownship and intruder aircraft, respectively; $\varepsilon_{\alpha o}$ and $\varepsilon_{\alpha i}$ are strictly positive constants that denote the track error bounds for the ownship and intruder aircraft, respectively; and $\varepsilon_{go}$ and $\varepsilon_{gi}$ are strictly positive constants that denote the ground speed error bounds for the ownship and intruder aircraft, respectively. Furthermore, given a 2-dimensional vector $\mathbf{u}$, the expression $\|\mathbf{u}\|$ denotes the norm of $\mathbf{u}$, i.e.,

$$\|\mathbf{u}\| = \sqrt{u_x^2 + u_y^2},$$

and $\mathit{track}(\mathbf{u})$ denotes the track angle of $\mathbf{u}$, i.e., the angle $\alpha$ measured clockwise from the North that satisfies

$$\mathbf{u} = (\|\mathbf{u}\| \sin\alpha,\ \|\mathbf{u}\| \cos\alpha).$$

Since $\varepsilon_{\alpha o}$, $\varepsilon_{\alpha i}$, $\varepsilon_{go}$ and $\varepsilon_{gi}$ are measure errors, they are small compared to the measured values. Therefore, the following inequalities are assumed.

$$\varepsilon_{\alpha o} < \frac{\pi}{2}, \qquad \varepsilon_{go} < \|\mathbf{v}_o^m\|, \qquad \|\mathbf{v}_o^m\|\,(1 - \cos\varepsilon_{\alpha o}) < \varepsilon_{go}. \tag{7}$$

$$\varepsilon_{\alpha i} < \frac{\pi}{2}, \qquad \varepsilon_{gi} < \|\mathbf{v}_i^m\|, \qquad \|\mathbf{v}_i^m\|\,(1 - \cos\varepsilon_{\alpha i}) < \varepsilon_{gi}. \tag{8}$$

² For technical details on the proofs of the properties enounced in this paper, the reader is referred to the PVS development available at http://shemesh.larc.nasa.gov/people/cam/ACCoRD.

³ PVS is electronically available at http://pvs.csl.sri.com.


2.2 Aircraft Separation 

In a 2-dimensional airspace, the separation criterion for two aircraft is specified as a minimum horizontal separation $D$. A conflict between the ownship and the intruder occurs when there is a time within a lookahead time $T$ such that the distance between the aircraft is less than $D$. Typically $D$ is 5 nautical miles and $T$ is 5 minutes. Formally, the ownship and the intruder aircraft are in conflict if there exists $0 < t < T$ such that at time $t$ the following inequality holds

$$\|(\mathbf{s}_o + t\,\mathbf{v}_o) - (\mathbf{s}_i + t\,\mathbf{v}_i)\| < D.$$

Since $(\mathbf{s}_o + t\,\mathbf{v}_o) - (\mathbf{s}_i + t\,\mathbf{v}_i) = (\mathbf{s}_o - \mathbf{s}_i) + t\,(\mathbf{v}_o - \mathbf{v}_i)$, the predicate that characterizes conflict can be defined on $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, i.e., the relative position and velocity vector, respectively, of the ownship with respect to the intruder. That is, conflict can be viewed as a predicate on two vectors $\mathbf{s}$ and $\mathbf{v}$ rather than a predicate on four vectors $\mathbf{s}_o$, $\mathbf{v}_o$, $\mathbf{s}_i$, and $\mathbf{v}_i$. Thus, the predicate $\mathit{conflict?}$ is defined as follows.

$$\mathit{conflict?}(D, T, \mathbf{s}, \mathbf{v}) \equiv \exists\, 0 < t < T : \|\mathbf{s} + t\,\mathbf{v}\| < D.$$

Since it greatly simplifies the notation, position and velocity will usually be given in the relative framework where the intruder is fixed at the origin of the coordinate system and the ownship is moving relative to the intruder. In this relative view, $\mathbf{s}^m$ and $\mathbf{v}^m$ will denote the measured relative position and velocity vectors $\mathbf{s}_o^m - \mathbf{s}_i^m$ and $\mathbf{v}_o^m - \mathbf{v}_i^m$, respectively.

Graphically, the separation criterion can be understood as an imaginary circular area of diameter $D$ around each aircraft and a conflict between two aircraft as a predicted overlapping of these areas. In the alternative but equivalent relative view, only the intruder is surrounded by a circle, called the protected zone, of radius $D$. From this perspective, a conflict between these two aircraft is equivalent to the existence of a time $0 < t < T$ at which the ownship is in the interior of the intruder's protected zone. For example, in the left side of Figure 1, the upper point represents the ownship with its velocity vector and its avoidance area (circle of diameter $D$ around the aircraft). The lower point represents the traffic aircraft. The right side represents the same information in the translated coordinate system. The two aircraft are potentially in conflict because the half-line defined by the relative velocity vector $\mathbf{v}$ intersects the protected area around the traffic aircraft.

Fig. 1 Translated Coordinate System



2.3 Conflict Detection and Resolution Algorithms

A conflict detection algorithm $\mathrm{cd}$ is a function that takes as parameters $D$, $T$, and the measured position and velocity vectors of the aircraft, i.e., $\mathbf{s}_o^m$, $\mathbf{v}_o^m$, $\mathbf{s}_i^m$, $\mathbf{v}_i^m$. It returns a Boolean value such that $\mathrm{cd}(D, T, \mathbf{s}_o^m, \mathbf{v}_o^m, \mathbf{s}_i^m, \mathbf{v}_i^m) = \mathit{true}$ if and only if

$$\mathit{conflict?}(D, T, \mathbf{s}_o^m - \mathbf{s}_i^m, \mathbf{v}_o^m - \mathbf{v}_i^m),$$

i.e., it returns $\mathit{true}$ if there is a conflict assuming perfect state information.

A conflict resolution algorithm $\mathrm{cr}$ is a function that takes as parameters $D$, $T$, and the measured position and velocity vectors of the aircraft, i.e., $\mathbf{s}_o^m$, $\mathbf{v}_o^m$, $\mathbf{s}_i^m$, $\mathbf{v}_i^m$. It returns a set of velocity vectors $\mathbf{w}_o^m$ that, if implemented by the ownship in zero time, solves any impending conflict assuming perfect state information, i.e.,

$$\neg\,\mathit{conflict?}(D, T, \mathbf{s}_o^m - \mathbf{s}_i^m, \mathbf{w}_o^m - \mathbf{v}_i^m).$$

In this paper, these algorithms are abstract, i.e., no particular implementation of $\mathrm{cd}$ and $\mathrm{cr}$ is considered. In other words, the results that have been obtained hold for any state-based CD&R algorithm that correctly implements the specifications above such as those in KB3D [3] and NASA's ACCoRD [11].

This paper provides the mathematical definition of a safety buffer $\psi$ that satisfies the following properties:

1. $\mathrm{cd}(D + \psi, T, \mathbf{s}_o^m, \mathbf{v}_o^m, \mathbf{s}_i^m, \mathbf{v}_i^m) = \mathit{false}$ implies $\neg\,\mathit{conflict?}(D, T, \mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i)$.

2. $\mathbf{w}_o^m \in \mathrm{cr}(D + \psi, T, \mathbf{s}_o^m, \mathbf{v}_o^m, \mathbf{s}_i^m, \mathbf{v}_i^m)$ implies $\neg\,\mathit{conflict?}(D, T, \mathbf{s}_o - \mathbf{s}_i, \mathbf{w}_o^m - \mathbf{v}_i)$.

The first property states that a conflict detection algorithm that uses a protected zone extended by $\psi$ has no missed-alerts. The second property states that a conflict resolution algorithm that uses a protected zone extended by $\psi$ returns resolution maneuvers that guarantee an actual minimum separation $D$. The safety buffer $\psi$ is an upper bound on the error in the minimum separation incurred by CD&R algorithms that assume precise aircraft state information.

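3 Relative Position and Velocity Errors

By simple algebraic manipulations and triangular inequality

$$\begin{aligned}
\|\mathbf{s} - \mathbf{s}^m\| &= \|(\mathbf{s}_o - \mathbf{s}_i) - (\mathbf{s}_o^m - \mathbf{s}_i^m)\| \\
&= \|(\mathbf{s}_o - \mathbf{s}_o^m) + (\mathbf{s}_i^m - \mathbf{s}_i)\| \\
&\le \|\mathbf{s}_o - \mathbf{s}_o^m\| + \|\mathbf{s}_i - \mathbf{s}_i^m\| \\
&\le \varepsilon_{so} + \varepsilon_{si}.
\end{aligned}$$

Therefore, the relative position error is bounded by $\varepsilon_{so} + \varepsilon_{si}$.

Theorem 1 (Relative Position Error) Let $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{s}_o^m$, $\mathbf{s}_i^m$, $\varepsilon_{so}$, and $\varepsilon_{si}$ be such that they satisfy formulas (1) and (2). The relative position error is bounded by a circle of radius

$$\varepsilon_s = \varepsilon_{so} + \varepsilon_{si}, \tag{10}$$

i.e., $\|\mathbf{s} - \mathbf{s}^m\| \le \varepsilon_s$. Moreover, $\varepsilon_s > 0$.

Velocity errors are given in terms of track error bounds, $\varepsilon_{\alpha o}$ for the ownship and $\varepsilon_{\alpha i}$ for the intruder, and ground speed error bounds, $\varepsilon_{go}$ for the ownship and $\varepsilon_{gi}$ for the intruder. However, as illustrated by Figure 2, velocity errors are also bounded by a circle. In the case of the ownship, the velocity error bound $\varepsilon_{vo}$ is defined from $\varepsilon_{\alpha o}$ and $\varepsilon_{go}$ as follows.

$$\varepsilon_{vo} = \sqrt{2\,\|\mathbf{v}_o^m\|\,(\|\mathbf{v}_o^m\| + \varepsilon_{go})(1 - \cos\varepsilon_{\alpha o}) + \varepsilon_{go}^2}. \tag{11}$$

Fig. 2 Ownship Velocity Error Bounds

Similarly, the velocity error bound for the intruder $\varepsilon_{vi}$ is defined from $\varepsilon_{\alpha i}$ and $\varepsilon_{gi}$ as follows.

$$\varepsilon_{vi} = \sqrt{2\,\|\mathbf{v}_i^m\|\,(\|\mathbf{v}_i^m\| + \varepsilon_{gi})(1 - \cos\varepsilon_{\alpha i}) + \varepsilon_{gi}^2}.$$

The following lemma states that $\varepsilon_{vo}$ and $\varepsilon_{vi}$ are indeed bounds on the velocity errors of the ownship and intruder aircraft, respectively.

Lemma 3.1 Let $\mathbf{v}_o$, $\mathbf{v}_i$, $\mathbf{v}_o^m$, $\mathbf{v}_i^m$, $\varepsilon_{\alpha o}$, $\varepsilon_{go}$, $\varepsilon_{\alpha i}$ and $\varepsilon_{gi}$ be such that they satisfy formulas (3)-(8). It holds that

$$\|\mathbf{v}_o - \mathbf{v}_o^m\|^2 \le \varepsilon_{vo}^2, \qquad \|\mathbf{v}_i - \mathbf{v}_i^m\|^2 \le \varepsilon_{vi}^2.$$

Lemma 3.1 is used to estimate the relative velocity error as shown by the next theorem.

Theorem 2 (Relative Velocity Error) Let $\mathbf{v}_o$, $\mathbf{v}_i$, $\mathbf{v}_o^m$, $\mathbf{v}_i^m$, $\varepsilon_{\alpha o}$, $\varepsilon_{go}$, $\varepsilon_{\alpha i}$, and $\varepsilon_{gi}$ be such that they satisfy formulas (3)-(8). The relative velocity error is bounded by a circle of radius

$$\varepsilon_v = \varepsilon_{vo} + \varepsilon_{vi}, \tag{12}$$

i.e., $\|\mathbf{v} - \mathbf{v}^m\| \le \varepsilon_v$. Moreover $\varepsilon_v > 0$.
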
In the relative coordinate system, the position and velocity error bounds $\varepsilon_s$ and $\varepsilon_v$ define a cone in the airspace that contains all possible linear trajectories around the measured position and velocity vectors $\mathbf{s}^m$ and $\mathbf{v}^m$. This cone is illustrated by Figure 3.

Fig. 3 Cone of Possible Trajectories

4 Conflict Detection and Resolution Under Uncertainty

To accommodate the difference between the actual aircraft states and the measured ones, state-based CD&R algorithms are typically used with a protected zone extended by a safety buffer. This section provides analytical formulas to compute a safety buffer for state-based conflict detection and resolution algorithms that guarantees no missed-alerts and an actual minimum separation $D$.

4.1 Conflict Detection

Because of position and velocity uncertainties, $\mathit{conflict?}(D, T, \mathbf{s}, \mathbf{v})$ does not necessarily imply $\mathit{conflict?}(D, T, \mathbf{s}^m, \mathbf{v}^m)$. For instance, Figure 4 illustrates situations where the actual position and velocity vectors $\mathbf{s}$ and $\mathbf{v}$ may lead to a conflict, but that conflict is not detected with the measured state information $\mathbf{s}^m$ and $\mathbf{v}^m$.

Fig. 4 Missed-alerts

The following theorem provides the definition of a safety buffer $\psi$ that guarantees that a state-based conflict detection algorithm has no missed-alerts.

Theorem 3 (Conflict Detection) Let $\mathbf{s}_o$, $\mathbf{v}_o$, $\mathbf{s}_i$, $\mathbf{v}_i$, $\mathbf{s}_o^m$, $\mathbf{v}_o^m$, $\mathbf{s}_i^m$, $\mathbf{v}_i^m$, $\varepsilon_{so}$, $\varepsilon_{si}$, $\varepsilon_{\alpha o}$, $\varepsilon_{go}$, $\varepsilon_{\alpha i}$, and $\varepsilon_{gi}$ be such that they satisfy formulas (1)-(8). If

$$\mathrm{cd}(D + \psi, T, \mathbf{s}_o^m, \mathbf{v}_o^m, \mathbf{s}_i^m, \mathbf{v}_i^m) = \mathit{false},$$

then

$$\neg\,\mathit{conflict?}(D, T, \mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i),$$

where

$$\tau = \min\!\left(T,\ \frac{(\|\mathbf{s}^m\| + \varepsilon_s)(\|\mathbf{v}^m\| + \varepsilon_v)}{(\|\mathbf{v}^m\| - \varepsilon_v)^2}\right),$$

$$\psi = \varepsilon_s + \tau\,\varepsilon_v,$$

and $\varepsilon_s$, $\varepsilon_v$ are defined as in theorems 1 and 2, respectively.

4.2 Conflict Resolution

In a similar way to conflict detection algorithms, state-based conflict resolution algorithms that assume precise aircraft state information may return resolution maneuvers that do not keep the aircraft separated.

The conflict detection safety buffer $\psi$ can also be used with conflict resolution algorithms to compute resolution maneuvers that keep aircraft separated (assuming that the resolution maneuvers are implemented in zero-time by the ownship). Indeed, let $\mathbf{w}_o^m$ be a resolution maneuver for the ownship computed by $\mathrm{cr}$, i.e.,

$$\mathbf{w}_o^m \in \mathrm{cr}(D + \psi, T, \mathbf{s}_o^m, \mathbf{v}_o^m, \mathbf{s}_i^m, \mathbf{v}_i^m).$$

By definition of $\mathrm{cr}$,

$$\neg\,\mathit{conflict?}(D + \psi, T, \mathbf{s}_o^m - \mathbf{s}_i^m, \mathbf{w}_o^m - \mathbf{v}_i^m).$$

Thus, by definition of $\mathrm{cd}$,

$$\mathrm{cd}(D + \psi, T, \mathbf{s}_o^m, \mathbf{w}_o^m, \mathbf{s}_i^m, \mathbf{v}_i^m) = \mathit{false}.$$

By Theorem 3,

$$\neg\,\mathit{conflict?}(D, T, \mathbf{s}_o - \mathbf{s}_i, \mathbf{w}_o^m - \mathbf{v}_i).$$

Theorem 4 (Conflict Resolution) Let $\mathbf{s}_o$, $\mathbf{v}_o$, $\mathbf{s}_i$, $\mathbf{v}_i$, $\mathbf{s}_o^m$, $\mathbf{v}_o^m$, $\mathbf{s}_i^m$, $\mathbf{v}_i^m$, $\varepsilon_{so}$, $\varepsilon_{si}$, $\varepsilon_{\alpha o}$, $\varepsilon_{go}$, $\varepsilon_{\alpha i}$, and $\varepsilon_{gi}$ be such that they satisfy formulas (1)-(8). If

$$\mathbf{w}_o^m \in \mathrm{cr}(D + \psi, T, \mathbf{s}_o^m, \mathbf{v}_o^m, \mathbf{s}_i^m, \mathbf{v}_i^m),$$

then

$$\neg\,\mathit{conflict?}(D, T, \mathbf{s}_o - \mathbf{s}_i, \mathbf{w}_o^m - \mathbf{v}_i).$$

Figure 5 illustrates Theorem 4, where the relative vector $\mathbf{w}^m$, which denotes $\mathbf{w}_o^m - \mathbf{v}_i^m$, is assumed to be tangent to the extended protected zone.

Fig. 5 Conflict Resolution Under Uncertainty

5 Numerical Examples

Assume the following error bound values:

• $\varepsilon_{so} = \varepsilon_{si} = 10$ feet.

• $\varepsilon_{\alpha o} = \varepsilon_{\alpha i} = 3$ degrees.

• $\varepsilon_{go} = \varepsilon_{gi} = 5$ knots.

These values are used as indicators and do not represent actual error values of a global positioning system such as GPS.

Fig. 6 Relative Ground Speed vs. Safety Buffer

Figure 6 plots relative ground speed, i.e., $\|\mathbf{v}^m\|$ in knots, against the corresponding safety buffer, i.e., $\psi$ in nautical miles, for 3 different distances $d = \|\mathbf{s}^m\|$ between the aircraft: 10 nautical miles, 20 nautical miles, and 30 nautical miles. The value of $\psi$ depends on the minimum between the lookahead time $T$ and the time of minimum approach between the aircraft. When the aircraft are far away, the value of $T$ dominates the expression and the size of the buffer increases as the relative ground speed increases. Eventually, the time of minimum approach dominates the expression and from that point on the size of the buffer decreases as the relative ground speed increases.
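The buffer of Theorem 3 evaluated with the error bounds listed above, as an added example (not code from the paper or from ACCoRD): it computes ψ = ε_s + τ ε_v for a family of constructed head-on encounters and counts missed alerts with and without the buffer. The 200-knot ground speeds, the encounter geometry, and the closed form used for τ (the time of minimum approach bounded using ε_s and ε_v) are assumptions of this example.

```python
import math
from itertools import product

NMI_FT = 6076.11549          # feet per nautical mile
D, T = 5.0, 5 / 60           # nmi, hours (typical values from Section 2.2)
EPS_POS = 10 / NMI_FT        # 10 ft position bound per aircraft, in nmi
EPS_ALPHA, EPS_G = 3.0, 5.0  # track bound (deg), ground speed bound (knots)

def vec(track_deg, speed):
    """Velocity with the given track (clockwise from North) and ground speed."""
    a = math.radians(track_deg)
    return (speed * math.sin(a), speed * math.cos(a))

def sub(a, b):
    return (a[0] - b[0], a[1] - b[1])

def norm(u):
    return math.hypot(u[0], u[1])

def vel_err_bound(speed_m, eps_alpha_deg, eps_g):
    """Formula (11): radius of the circle bounding one aircraft's velocity error."""
    c = 1 - math.cos(math.radians(eps_alpha_deg))
    return math.sqrt(2 * speed_m * (speed_m + eps_g) * c + eps_g ** 2)

def conflict(D, T, s, v):
    """conflict?(D, T, s, v), decided at the closest approach clamped to the lookahead."""
    vv = v[0] ** 2 + v[1] ** 2
    t = 0.0 if vv == 0 else min(max(-(s[0] * v[0] + s[1] * v[1]) / vv, 0.0), T)
    return norm((s[0] + t * v[0], s[1] + t * v[1])) < D

def cd(D, T, so, vo, si, vi):
    """State-based conflict detection on whatever states it is given."""
    return conflict(D, T, sub(so, si), sub(vo, vi))

def safety_buffer(T, s_m, v_m, eps_s, eps_v):
    """psi = eps_s + tau * eps_v. ASSUMPTION: tau = min(T, bound on time of min approach)."""
    if norm(v_m) <= eps_v:           # approach-time bound undefined: fall back to T
        return eps_s + T * eps_v
    t_min = (norm(s_m) + eps_s) * (norm(v_m) + eps_v) / (norm(v_m) - eps_v) ** 2
    return eps_s + min(T, t_min) * eps_v

def sweep(speed=200.0):
    """Constructed head-on encounters, lateral offset 4.0..7.0 nmi in 0.1 steps.
    Returns (missed alerts with plain D, missed alerts with D + psi)."""
    eps_s = 2 * EPS_POS
    eps_v = 2 * vel_err_bound(speed, EPS_ALPHA, EPS_G)
    vo_m, vi_m, si_m = vec(0, speed), vec(180, speed), (0.0, 0.0)
    missed_plain = missed_buffered = 0
    for k in range(40, 71):
        so_m = (k / 10, -10.0)
        psi = safety_buffer(T, sub(so_m, si_m), sub(vo_m, vi_m), eps_s, eps_v)
        alert_plain = cd(D, T, so_m, vo_m, si_m, vi_m)
        alert_buffered = cd(D + psi, T, so_m, vo_m, si_m, vi_m)
        # Actual states at the extremes allowed by the error bounds (1)-(6).
        actual = False
        for da_o, da_i, dg_o, dg_i, dp in product((-1, 0, 1), repeat=5):
            so = (so_m[0] + dp * EPS_POS, so_m[1])
            si = (si_m[0] - dp * EPS_POS, si_m[1])
            vo = vec(da_o * EPS_ALPHA, speed + dg_o * EPS_G)
            vi = vec(180 + da_i * EPS_ALPHA, speed + dg_i * EPS_G)
            actual = actual or cd(D, T, so, vo, si, vi)
        missed_plain += actual and not alert_plain
        missed_buffered += actual and not alert_buffered
    return missed_plain, missed_buffered

if __name__ == "__main__":
    print("missed alerts (no buffer, with buffer):", sweep())
```

Encounters whose measured miss distance is just above D are missed without the buffer because a 3 degree track error on each aircraft moves the actual trajectory inside the protected zone; with D + ψ none are missed.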

Figures 7 and 8 use a fixed relative ground speed of 400 knots. Figure 7 shows that the safety buffer increases as the track error varies from 1° to 5°, assuming that the ground speed error bound is 5 knots. Similarly, Figure 8 shows that the safety buffer increases as the ground speed error varies from 1 knot to 5 knots, assuming that the track error bound is 3 degrees. Not surprisingly, the track error has a greater impact on the value of $\psi$ than the ground speed error. Indeed, the track error bound determines the span of the cone of possible trajectories depicted in Figure 3.

Fig. 7 Track Error vs. Safety Buffer (horizontal axis: Track Error [deg])

Fig. 8 Ground Speed Error vs. Safety Buffer (horizontal axis: Ground Speed Error [knots])

6 Related Work and Conclusion

In [13], Zhao presents a semi-analytical approach to determine appropriate separation minima between aircraft that takes into consideration wake-vortices and flight technical errors. The paper defines the uncertainty region as the difference between the measured and actual trajectories in an interval of time. The uncertainty region is an ellipsoid and the interval time is the maximum between the surveillance interval and the time needed for conflict avoidance. The paper does not study the effect of uncertainty regions on the conflict detection and resolution logic. In [2], Consiglio et al. measured the impact of wind prediction to determine the additional safety buffer needed to preserve separation. The study is based on high-fidelity simulation. Erzberger et al. [6] propose a conflict detection algorithm that uses stochastic analysis on predicted trajectory errors for estimating the probability of conflict as a function of the state information. In the context of strategic conflict detection, Karr [9] describes different types of prediction error and proposes an algorithm to detect conflicts between trajectories that uses a notion of dynamic safety buffers.

The focus of this paper is the analytical definition of a safety buffer for state-based conflict detection and resolution algorithms assuming that the position and velocity errors are unknown but bounded. The approach presented here can be seen as a worst-case analysis and may be used as a base-line for more precise calculations that take into account aircraft performance, different types of trajectory errors, and intent information.

Last, but not least, it is emphasized that the mathematical development presented in this paper has been mechanically checked in a theorem prover. Given the critical role that CD&R systems play in the next generation of air traffic systems, this verification step provides additional correctness evidence to the safety case of these systems.

References

[1] K. Bilimoria. A geometric optimization approach to aircraft conflict resolution. In Guidance, Navigation, and Control Conference, volume AIAA 2000-4265, Denver, CO, August 2000.

[2] Maria Consiglio, Sherwood Hoadley, and B. Danette Allen. Estimation of separation buffers for wind-prediction error in an airborne separation assistance system. In Proceedings of the 8th USA/Europe Air Traffic Management R&D Seminar, ATM 2009, Napa, California, June-July 2009.

[3] G. Dowek, A. Geser, and C. Munoz. Tactical conflict detection and resolution in a 3-D airspace. In Proceedings of the 4th USA/Europe Air Traffic Management R&D Seminar, ATM 2001, Santa Fe, New Mexico, 2001. A long version appears as report NASA/CR-2001-210853 ICASE Report No. 2001-7.

[4] G. Dowek and C. Munoz. Conflict detection and resolution for 1,2,...N aircraft. In 6th AIAA Aviation Technology, Integration and Operations Conference (ATIO), Belfast, Northern Ireland, September 2007.

[5] M. Eby. A self-organizational approach for resolving air traffic conflicts. Lincoln Laboratory Journal, 7(2):239-254, 1994.

[6] Heinz Erzberger, Russell A. Paielli, Douglas R. Isaacson, and Michelle M. Eshow. Conflict detection and resolution in the presence of prediction error. In Proceedings of the 1st USA/Europe Air Traffic Management R&D Seminar, ATM 1997, Saclay, France, June 1997.

[7] A. Galdino, C. Munoz, and M. Ayala. Formal verification of an optimal air traffic conflict resolution and recovery algorithm. In Proceedings of the 14th Workshop on Logic, Language, Information and Computation, Rio de Janeiro, Brazil, July 2007.

[8] J. Hoekstra, R. Ruigrok, R. van Gent, J. Visser, B. Gijsbers, M. Valenti, W. Heesbeen, B. Hilburn, J. Groeneweg, and F. Bussink. Overview of NLR free flight project 1997-1999. Technical Report NLR-CR-2000-227, National Aerospace Laboratory (NLR), May 2000.

[9] David Karr. Conflict detection with dynamic buffers. Technical report, Titan corporation, May 2005.

[10] J. Maddalon, R. Butler, A. Geser, and C. Munoz. Formal verification of a conflict resolution and recovery algorithm. Technical Report NASA/TP-2004-213015, NASA Langley Research Center, NASA LaRC, Hampton VA 23681-2199, USA, April 2004.

[11] C. Munoz, A. Narkawicz, R. Butler, and G. Dowek. Mathematical framework for the design and verification of state-based separation assurance algorithms. Manuscript.

[12] S. Owre, J. Rushby, and N. Shankar. PVS: A prototype verification system. In Deepak Kapur, editor, 11th International Conference on Automated Deduction (CADE), volume 607 of Lecture Notes in Artificial Intelligence, pages 748-752, Saratoga, NY, June 1992. Springer-Verlag.

[13] Yiyuan J. Zhao. A systematic procedure for determining separation minima. In Proceedings of 26th International Congress of the Aeronautical Sciences, ICAS 2006, Hamburg, Germany, September 2006.

HEBER HERENCIA-ZAPANA*, JEAN-BAPTISTE JEANNIN**, CESAR MUNOZ***


